Signing policy

Last updated: 2005-02-21

Preliminaries

This policy is valid for all signatures made by the OpenPGP keys listed above.

Prerequisites for signing

The signee (i.e. the key holder who wishes to obtain a signature from me, the signer) must make his/her OpenPGP public key available on a publicly accessible keyserver, such as the .pgp.net servers. Furthermore, for persons completely unknown to me, there must already be a signature path from me to this key. People wishing to enter the strongly connected set should do so through better authentication, if possible through someone they know personally.

The signee must prove his/her identity to me by way of a national ID card, a driver's licence, or a similar token. The token must carry a photograph of the signee.

For people from outside the European Union, only a combination of at least two of the above tokens will be accepted (since I can't assess their risk of fraud). Exceptions will be made when the signee can provide other means of proving his/her identity, but at least one of the above tokens remains the minimum requirement.

The signee should have prepared a strip of paper with a printout of the output of

gpg --list-keys --with-fingerprint 0x6789ABCD

(or an equivalent command if you're not using GnuPG), where 0x6789ABCD is the key ID of the key that is to be signed.

A hand-written sheet featuring all user IDs the signee wants me to sign and the fingerprint will also be accepted.

The above must take place under reasonable circumstances.

The signee should be willing to cross-sign with me.

The act of signing

After having received (or exchanged) the proof detailed above, I will sign the sheet of paper myself to avoid fraud.

At home, I will send one email to each of the mail addresses featured in the user IDs that I was asked to sign. Each mail contains a random string and is signed by me and encrypted to the public key whose fingerprint is printed on the paper.

Upon receipt of encrypted and signed replies, I will check the returned random string for equality with what I sent.

User IDs that pass the above test are signed. If one of the user IDs fails the test, a warning is sent to the address of one of the other user IDs and the procedure is halted until a satisfactory explanation has been received or the procedure has been cancelled by the signee.

The signed keyblock is uploaded to a randomly chosen set of keyservers. The signee may suggest a particular keyserver or choose to receive the keyblock by mail instead.

Levels of signatures

Depending on the kind of key that is to be signed by me, I will use different levels of signatures:

Level 3

A level of 3 is given to sign-and-encrypt keys which successfully pass all the checks: I have met the signee, I have verified his/her identity card and fingerprint, and his/her replies to my verification mails (sent to the UIDs) have been correct. These signatures are the strongest in my web of trust. Photographic UIDs will also be signed with a level of 3 if I can still remember the signee's face when I am back at home.

Level 2

A level of 2 is given to sign-only keys. Usually their UIDs are of the type "Firstname Lastname" and not "Firstname Lastname <user@mailaddress.invalid>", which means that I can't (automatically) send verification mails to them. Besides, encryption can't be used for these keys as they are sign-only. Please note that although these keys only get a level of 2, I have met the signee in real life and successfully verified his/her fingerprint and identity card.

Level 1

If I have had contact with someone through signed or encrypted e-mail over a period long enough to rule out at least temporary man-in-the-middle attacks, and I have verified the key against a copy downloaded from his/her personal web page or against signed emails/fingerprints on public mailing lists, but I have not met the person or verified the key in any other way, I may sign the key with cert check level one.

Level 0

A level of 0 is given to keys of Certification Authorities, since in most cases the key owner is a whole organization and not a single person. Usually the fingerprints of those keys have to be verified by fetching them from the CA's website and can't be checked in person with a responsible member of the CA. These signatures are the weakest in my web of trust.
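As an added illustration (not part of this policy, and not the signer's own tooling), the following Python models the bookkeeping behind the mail verification round described under "The act of signing" and the decision rules under "Levels of signatures": one random token per mail-carrying UID, constant-time comparison of the returned token, halt-and-warn on any failure, and the mapping from the gathered evidence to a cert-check level. The signing, encryption and mailing steps themselves are left to gpg and are not performed here; the sample UIDs are constructed and belong to no real key.

```python
import secrets
import hmac
from dataclasses import dataclass

def issue_challenges(uids):
    """One random token per user ID that carries a mail address.
    The signer mails each token, signed by them and encrypted to the key."""
    return {u: secrets.token_hex(16) for u in uids if "<" in u and "@" in u}

def check_replies(challenges, replies):
    """replies: uid -> token returned in an encrypted, signed reply.
    A missing reply or a mismatch counts as failure; compare in constant time."""
    return {u: u in replies and hmac.compare_digest(t, replies[u])
            for u, t in challenges.items()}

def decide(results):
    """All UIDs pass -> sign them; any failure -> halt and warn via a passing UID."""
    failed = [u for u, ok in results.items() if not ok]
    if failed:
        passing = [u for u, ok in results.items() if ok]
        warn_to = passing[0] if passing else None
        return ("halt", failed, warn_to)
    return ("sign", list(results), None)

@dataclass
class Evidence:
    met_in_person: bool = False
    id_token_verified: bool = False      # photo ID card, driver's licence, ...
    fingerprint_verified: bool = False   # paper strip compared in person
    key_can_encrypt: bool = True         # False for sign-only keys
    all_uids_passed: bool = False        # outcome of the mail round above
    is_ca_key: bool = False
    long_term_signed_mail: bool = False  # level 1 criteria
    key_cross_checked: bool = False      # web page or mailing-list signatures

def cert_level(ev):
    """Map the policy's cases to a cert-check level; None means do not sign (yet)."""
    if ev.is_ca_key:
        return 0
    if ev.met_in_person and ev.id_token_verified and ev.fingerprint_verified:
        if not ev.key_can_encrypt:
            return 2                                 # sign-only: no mail round possible
        return 3 if ev.all_uids_passed else None     # halted until explained
    if ev.long_term_signed_mail and ev.key_cross_checked:
        return 1
    return None

# Constructed sample: one key with two mail-carrying user IDs (not a real key or person).
UIDS = ["Jane Doe <jane@example.invalid>", "Jane Doe (work) <jdoe@work.invalid>"]
```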